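On a Linux machine running systemd, is there any way to see what or who issued a shutdown or reboot command?
Answer 1
Check the system log of the previous boot with sudo journalctl -b -1 -e.
Check /var/log/auth.log.
Are you sure it is not one of "power interruption/spike", "CPU overheating", ...
On my system (Ubuntu 16.04,6),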
sudo journalctl | grep shutdown
Jan 29 12:58:07 bat sudo[14365]: walt : TTY=pts/0 ; PWD=/home/walt ; USER=root ; COMMAND=/sbin/shutdown now
Feb 12 11:23:59 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
Feb 19 09:35:18 bat ureadahead[437]: ureadahead:lxqt-session_system-shutdown.png: Ignored relative path
Feb 19 09:35:18 bat ureadahead[437]: ureadahead:gshutdown_gshutdown.png: Ignored relative path
Feb 19 09:35:18 bat ureadahead[437]: ureadahead:mate-gnome-main-menu-applet_system-shutdown.png: Ignored relative path
Feb 27 16:45:40 bat systemd-shutdown[1]: Sending SIGTERM to remaining processes...
Mar 05 17:53:27 bat systemd-shutdown[1]: Sending SIGTERM to remaining processes...
Mar 15 09:57:45 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
Mar 21 17:40:30 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
Apr 15 18:16:37 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
...
The first line shows when the user walt ran sudo shutdown now.
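Answer 2
In short, only the root user or a user with root privileges can shut down or reboot the system.
- Run the last -x command to find the timestamp of the action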
root@personal:~# last -x
ubuntu pts/0 116.102.181.245 Wed Dec 18 16:28 still logged in
runlevel (to lvl 5) 4.15.0-1047-aws Wed Dec 18 16:27 still running
reboot system boot 4.15.0-1047-aws Wed Dec 18 16:27 still running
shutdown system down 4.15.0-1047-aws Wed Dec 18 16:27 - 16:27 (00:00)
ubuntu pts/0 116.102.181.245 Wed Dec 18 16:25 - 16:27 (00:02)
runlevel (to lvl 5) 4.15.0-1047-aws Wed Dec 18 16:24 - 16:27 (00:03)
- Based on the last -x result, find some recently logged-in users, switch to that user and check the history
root@personal:~# su - ubuntu
ubuntu@personal:~$ history 10
312 dig @1.1.1.1 xxx +short
313 dig @8.8.8.8 xxx +short
314 dig @8.8.4.4 xxx +short
315 exit
316 sudo su -
317 sudo reboot
318 sudo su -
319 history
320 last -x
321 history 10
- Or check the journalctl log
root@personal:~# journalctl | grep reboot
Sep 05 03:07:04 ip-172-31-36-28 cron[710]: (CRON) INFO (Running @reboot jobs)
Sep 05 13:49:11 personal python3[21347]: ansible-command Invoked with _raw_params=sleep 10 && reboot _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None chdir=None executable=None creates=None removes=None stdin=None
Sep 05 13:51:23 personal python3[22042]: ansible-command Invoked with _raw_params=sleep 10 && reboot _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None chdir=None executable=None creates=None removes=None stdin=None
Sep 05 13:54:21 personal systemd-logind[715]: System is rebooting (Reboot initiated by Ansible).
Sep 05 13:54:36 personal cron[573]: (CRON) INFO (Running @reboot jobs)
Dec 18 16:24:30 personal cron[651]: (CRON) INFO (Running @reboot jobs)
Dec 18 16:27:36 personal sudo[915]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/sbin/reboot
Dec 18 16:27:54 personal cron[641]: (CRON) INFO (Running @reboot jobs)
By the way, you can find more information at the following link:
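Added example, not part of either answer: grepping the journal for "shutdown" or "reboot" also returns ureadahead, cron and unit-stop noise, so this filter keeps only the records that name an initiator (sudo COMMAND lines and the systemd-logind message). The function names are hypothetical and the sample lines are copied from the output quoted in the answers.

```shell
#!/bin/sh
# Added example, not from the original answers.
# Reads short-format journal text on stdin and prints only the lines that
# name an initiator of a shutdown or reboot.
shutdown_initiators() {
    awk '
    # sudo audit record: "<host> sudo[pid]: <user> : TTY=... ; COMMAND=<cmd>"
    / sudo\[[0-9]+\]: / && /COMMAND=/ {
        cmd = $0; sub(/.*COMMAND=/, "", cmd)
        # Match the binary name itself, not any path that merely contains it.
        if (cmd ~ /(^|\/)(shutdown|reboot|poweroff|halt)( |$)/) {
            user = $0
            sub(/.* sudo\[[0-9]+\]: +/, "", user)
            sub(/ :.*/, "", user)
            printf "%s %s %s sudo user=%s cmd=%s\n", $1, $2, $3, user, cmd
        }
        next
    }
    # systemd-logind message, wording as in the second answer; the
    # "powering down" variant is assumed to be its poweroff counterpart.
    / systemd-logind\[[0-9]+\]: System is (rebooting|powering down)/ {
        msg = $0; sub(/.* systemd-logind\[[0-9]+\]: /, "", msg)
        printf "%s %s %s logind %s\n", $1, $2, $3, msg
    }'
}

# Sample input: lines copied from the output quoted in the two answers.
sample_journal() {
    cat <<'EOF'
Jan 29 12:58:07 bat sudo[14365]: walt : TTY=pts/0 ; PWD=/home/walt ; USER=root ; COMMAND=/sbin/shutdown now
Feb 12 11:23:59 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service.
Feb 19 09:35:18 bat ureadahead[437]: ureadahead:gshutdown_gshutdown.png: Ignored relative path
Feb 27 16:45:40 bat systemd-shutdown[1]: Sending SIGTERM to remaining processes...
Sep 05 13:54:21 personal systemd-logind[715]: System is rebooting (Reboot initiated by Ansible).
Sep 05 13:54:36 personal cron[573]: (CRON) INFO (Running @reboot jobs)
Dec 18 16:27:36 personal sudo[915]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/sbin/reboot
EOF
}

# On a real host: sudo journalctl -b -1 | shutdown_initiators
sample_journal | shutdown_initiators
```

A reboot typed inside a root shell opened with sudo su - leaves no sudo COMMAND record for the reboot itself, only for the su; in that case the logind line and the last -x timestamps are what remain to correlate.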